ENVIRONMENT

  • Sun One Management Agent

PROBLEM STATEMENT

When running a Full and/or a Delta Import on a Sun One Management Agent, we saw several Discovery Errors with the wording "multi-single mismatch". Clicking the object link or the "multi-single mismatch" link in the errors section displays the Object Error Details dialog.

We then exported the Run History to XML and found the error message listed there. However, it gave no information other than the DN of the object.

RUN HISTORY

<ma-discovery-errors>

<ma-object-error><error-type>multi-single-mismatch</error-type><dn>((( OBJECT DN )))</dn><anchor>fd9cae02-1dd111b2-8076e6a0-e33eba5b</anchor></ma-object-error>

From there, we dumped the hologram of the object to see what the object looked like in the connector space.

STEPS TO EXPORT CONNECTOR SPACE OBJECT

Open an Administrative Command Prompt and navigate to the %programfiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin folder

Execute the following command and then press the ENTER key

csexport <name of the sun one management agent> badobject.xml /f:d=<dn of bad object>

Once we had badobject.xml, we reviewed the connector space information for multi-valued attributes. Since the problem was being exposed on Import, we reviewed the "pending-import-hologram" section. Each attr element carries a multivalued attribute set to true or false, which tells us whether the attribute is multi-valued or single-valued. We were able to identify the multi-valued and single-valued attributes, but that was about it at this point.

MULTI-VALUED ATTRIBUTES

<pending-import-hologram>

<entry dn="((( OBJECT DN )))">

<anchor>fd9cae02-1dd111b2-8076e6a0-e33eba5b</anchor>

<parent-anchor>3b38b2e6-1dd211b2-802ae6a0-e33eba5b</parent-anchor>

<primary-objectclass>inetOrgPerson</primary-objectclass>

<objectclass><oc-value>top</oc-value>

<oc-value>Person</oc-value>

<oc-value>inetOrgPerson</oc-value>

<oc-value>organizationalPerson</oc-value>

<oc-value>(( OC VALUE )))</oc-value>

</objectclass>

<attr multivalued="false" type="string" name="MyMailAttribute">

<value>mymail@mymail.com</value>

</attr>

<attr multivalued="true" type="string" name="MyPersonAffliation">

<value>Full Time Employee</value>

</attr>

We then ran a network trace and were able to locate an LDAP Result for a specific UID that was failing.

NETWORK TRACE

Frame: Number = 2903, Captured Frame Length = 210, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-B2-00-15],SourceAddress:[00-10-DB-FF-21-50]

+ Tcp: Flags=...AP..., SrcPort=LDAP(389), DstPort=65307, PayloadLen=156, Seq=4213507664 - 4213507820, Ack=2781020950, Win=49640 (scale factor 0x0) = 49640

Ldap: Search Result Entry, MessageID: 1234567

- LDAPMessage: Search Result Entry, MessageID: 1234567

+ ParserHeader:

+ MessageID: 1234567

+ OperationHeader: Search Result Entry, 4(0x4)

- SearchResultEntry: changenumber=987654,cn=changelog

+ ObjectName: changenumber=987654,cn=changelog

+ Attributes: 3 Partial Attributes

We then reviewed the Sun One Change Log information for that specific changenumber. Notice the modification that adds a value to MyMailAttribute. If we go back and check MyMailAttribute in the badobject.xml file, we can see that it is a single-valued attribute.

SUN ONE CHANGE LOG

changeNumber: 987654

changeType: modify

targetDn: ((( OBJECT DN )))

changes:

add: MyMailAttribute

MyMailAttribute: msftengineer@microsoft.com

-

replace: modifiersname

modifiersname: cn=managers

-

replace: modifytimestamp

modifytimestamp: 20130108052303Z

BADOBJECT.XML

<attr multivalued="false" type="string" name="MyMailAttribute">

<value>mymail@mymail.com</value>

</attr>
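
The comparison above can be scripted when many objects report the error. The following Python sketch is an added example, not part of the original article or of any FIM tooling: it flags add or replace operations in a change log entry that would leave a single-valued hologram attribute with more than one value. It assumes the layouts excerpted above; the function names, the cs-object wrapper element and the placeholder DN in the constructed samples are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed samples modelled on the excerpts above; the DN is a placeholder.
CS_XML = """<cs-object><pending-import-hologram><entry dn="uid=placeholder">
<attr multivalued="false" type="string" name="MyMailAttribute"><value>mymail@mymail.com</value></attr>
<attr multivalued="true" type="string" name="MyPersonAffliation"><value>Full Time Employee</value></attr>
</entry></pending-import-hologram></cs-object>"""
CHANGELOG = """changeNumber: 987654
changes:
add: MyMailAttribute
MyMailAttribute: msftengineer@microsoft.com
-
replace: modifiersname
modifiersname: cn=managers
"""

def hologram_attrs(cs_xml):
    """Map lower-cased attribute name -> (multivalued?, current values)."""
    attrs = {}
    for holo in ET.fromstring(cs_xml).iter("pending-import-hologram"):
        for a in holo.iter("attr"):
            values = [v.text for v in a.iter("value")]
            attrs[a.get("name").lower()] = (a.get("multivalued") == "true", values)
    return attrs

def parse_changes(changelog):
    """Return [(operation, attribute, [values])] from the text after 'changes:'."""
    mods, current = [], None
    body = changelog.partition("changes:")[2]
    for line in filter(None, map(str.strip, body.splitlines())):
        if line == "-":            # separator between modifications
            current = None
        elif current is None:      # e.g. "add: MyMailAttribute"
            op, attr = (part.strip() for part in line.split(":", 1))
            current = (op.lower(), attr, [])
            mods.append(current)
        else:                      # e.g. "MyMailAttribute: value"
            current[2].append(line.split(":", 1)[1].strip())
    return mods

def find_mismatches(cs_xml, changelog):
    """Flag add/replace operations leaving a single-valued attribute with >1 value."""
    holo, hits = hologram_attrs(cs_xml), []
    for op, attr, new in parse_changes(changelog):
        multivalued, current = holo.get(attr.lower(), (True, []))
        if multivalued or op not in ("add", "replace"):
            continue               # unknown to the hologram, multi-valued, or a delete
        total = len(set(new) | (set(current) if op == "add" else set()))
        if total > 1:
            hits.append((attr, op, total))
    return hits
```

Calling find_mismatches(CS_XML, CHANGELOG) on the constructed samples reports MyMailAttribute, the same attribute found by manual inspection above.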

RESOLUTION

To resolve the issue, we followed these steps:

  • Made MyMailAttribute a multivalued attribute
  • Refreshed the schema on the Sun One Management Agent
  • Ran a Full Import (Stage Only)
  • Ran a Full Synchronization